Identity-Based Cryptosystems and Quadratic Residuosity

Abstract

Three approaches are currently used for devising identity-based encryption schemes. They respectively build on pairings, quadratic residues (\(\mathsf {QR}\)), and lattices. Among them, the \(\mathsf {QR}\)-based scheme proposed by Cocks in 2001 is notable in that it works in standard RSA groups: its security relies on the standard quadratic residuosity assumption. But it also has a number of deficiencies, some of which have subsequently been addressed in follow-up works. Currently, one of the main limitations of Cocks’ scheme resides in its apparent lack of structure. This considerably restricts the range of possible applications. For example, given two Cocks ciphertexts, it is unknown how to evaluate a function thereof.

Cocks’ scheme is believed to be non-homomorphic. This paper disproves this conjecture and proposes a constructive method for computing over Cocks ciphertexts. The discovery of the hidden algebraic structure behind Cocks encryption is at the core of the method. It offers a better understanding of Cocks’ scheme. As a further illustration of the importance of knowing the underlying structure, this paper shows how to anonymize Cocks ciphertexts without increasing their size or sacrificing security.

Finally and of independent interest, this paper presents a simplified version of the abstract identity-based cryptosystem with short ciphertexts of Boneh, Gentry, and Hamburg.

Let \(\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2)\) be an adversary that breaks the \(\mathsf {IND}\)-\(\mathsf {ID}\)-\(\mathsf {CPA}\) security of the generalized scheme described in Sect. 3.1 with probability \(\epsilon \). We will use \(\mathcal {A}\) to build a distinguisher \(\mathcal {D}\) that decides whether a random element w in \(\mathbb {J}_N\) is a quadratic residue modulo N or not.

Give s and \(C_b = (c_b,\bar{c}_b)\) to \(\mathcal {A}_2^{\mathtt {EXTRACT}_{\mathsf {msk}}(\cdot ),\mathcal {H}(\cdot )}\); \(\mathcal {A}_2\) may issue further extraction and hash queries, after which it returns its guess \(b'\);

iii. If \(b'=b\) return 1; otherwise return 0.

(b) If \(\mathcal {H}(\mathsf {id}^*) \ne w\) then

i. Choose a random bit \(b' \in \{0,1\}\);

ii. Return \(b'\).

It remains to detail how \(\mathcal {D}\) simulates answers to oracle queries. \(\mathcal {D}\) maintains a history list \(\mathsf {Hist}[\mathcal {H}]\) composed of triplets. The list is initialized to \(\emptyset \). It also maintains a counter k initialized to 0. Let \(q_{H_1}\) denote the number of hash queries that are not followed by extract queries and let \(q_{E_1}\) denote the number of extract queries, made by \(\mathcal {A}_1\). Without loss of generality, we assume that \(\mathcal {A}_1\) issues a hash query on \(\mathsf {id}^*\). Finally, we let \(k_1\) denote a random integer in \(\{1, \cdots , q_{H_1}+q_{E_1}\}\) chosen by \(\mathcal {D}\).

Hash Queries. When \(\mathcal {A}\) queries oracle \(\mathcal {H}\) on some \(\mathsf {id}\), \(\mathcal {D}\) checks whether there is an entry of the form \((\mathsf {id}, h, r)\) in \(\mathsf {Hist}[\mathcal {H}]\); i.e., a triplet with \(\mathsf {id}\) as the first component. If so, it returns h. Otherwise, it does the following:

Extraction Queries. When \(\mathcal {A}\) queries oracle \(\mathtt {EXTRACT}\) on some \(\mathsf {id}\), \(\mathcal {D}\) checks whether there is an entry of the form \((\mathsf {id}, h, r)\) in \(\mathsf {Hist}[\mathcal {H}]\). If not, it calls \(\mathcal {H}(\mathsf {id})\) so that there is an entry. Let \((\mathsf {id}, h, r)\) denote the entry in \(\mathsf {Hist}[\mathcal {H}]\) corresponding to \(\mathsf {id}\). Depending on it, \(\mathcal {D}\) does the following:

1. If \(r \ne \bot \) then return r;

2. If \(r = \bot \) then abort.

We now analyze the success probability of \(\mathcal {D}\) in solving the \(\mathsf {QR}\) challenge. Since u is an element in \(\mathbb {J}_N \setminus \mathbb {QR}_N\), the resulting \(\mathsf {mpk}\) appears as a valid set of system parameters. Three subcases can be distinguished.

which must be negligible by the \(\mathsf {QR}\) assumption. As a consequence, \(|\epsilon - \tfrac{1}{2}|\) must be negligible, which means that the scheme is \(\mathsf {IND}\)-\(\mathsf {ID}\)-\(\mathsf {CPA}\) secure under the \(\mathsf {QR}\) assumption.

A.2 Second Case: u Is Random

In this case, the proof can be obtained along the lines of the proof offered in [8, Appendix B.2] for the Boneh-Gentry-Hamburg scheme. That proof features a tight reduction. It does, however, crucially require that parameter u be a random element in \(\mathbb {J}_N\setminus \mathbb {QR}_N\).

B Arithmetic in \(\mathcal {Z}_{N,\varDelta }\)

As mentioned in Sect. 4.2, each element u of the group \(\mathcal {Z}_{N,\varDelta } = \mathcal {F}_{\!p,\varDelta } \times \mathcal {F}_{\!q,\varDelta }\) can be uniquely represented by a pair \([u_p, u_q]\) with \(u_p \in \mathcal {F}_{\!p,\varDelta }\) and \(u_q \in \mathcal {F}_{\!q,\varDelta }\), and \(\infty = [\infty _p, \infty _q]\). There is a slight complication when doing arithmetic in \(\mathcal {Z}_{N,\varDelta }\) as we need to deal with the elements of the form \([u_p, \infty _q]\) or \([\infty _p, u_q]\). This can be circumvented by adopting a projective representation. An element \(u \in \mathcal {Z}_{N,\varDelta }\) can be written as a pair (U : Z). We say that two elements \(u = (U:Z)\) and \(u'=(U':Z')\) are equivalent if there exists some \(\lambda \in (\mathbb {Z}/N\mathbb {Z})^\times \) such that \(U' = \lambda U\) and \(Z' = \lambda Z\). Hence, from the definition of \(\psi ^{-1}\), we can represent \(\mathcal {Z}_{N,\varDelta }\) as
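The projective representation described above, as an added Python example (not the paper's code). The group law on \(\mathcal {Z}_{N,\varDelta }\) is not reproduced on this page, so the code assumes the law that these coordinates model, \(u \odot v = (uv+\varDelta )/(u+v)\) with identity \(\infty \) and inverse \(-u\) (multiplication in \((\mathbb {Z}/N\mathbb {Z})[\sqrt{\varDelta }]\) up to scalars), which in coordinates reads \((U_1:Z_1)\odot (U_2:Z_2) = (U_1U_2+\varDelta Z_1Z_2 : U_1Z_2+U_2Z_1)\); check it against Sect. 4.2 before relying on it. The toy parameters p = 11, q = 19, \(\varDelta = 2\) are chosen here. The block recovers the canonical pair \([u_p, u_q]\) from a projective point, shows that the awkward element \([u_p, \infty _q]\) is simply a point whose Z is a non-zero non-unit (\(\gcd(Z,N) = q\)), implements the \(\lambda \)-equivalence as equality of canonical pairs, and exhaustively checks the projective law against the componentwise law.

```python
"""Projective arithmetic in Z_{N,Delta} = F_{p,Delta} x F_{q,Delta}.

Added example; not the paper's code.  The group law is not given on this page,
so it is ASSUMED to be the one the (U:Z) coordinates model:
    u (.) v = (u*v + Delta)/(u + v),  identity = infinity,  inverse of u = -u,
i.e. multiplication in (Z/NZ)[sqrt(Delta)]^x modulo scalars.  With u = U/Z and
infinity = (1:0) this is
    (U1:Z1) (.) (U2:Z2) = (U1*U2 + Delta*Z1*Z2 : U1*Z2 + U2*Z1).
Delta is a non-square mod p and mod q, so every element has an inverse.
"""
from math import gcd

INF = None                      # marker for infinity_p / infinity_q in a component

def is_nonresidue(d, r):
    return pow(d % r, (r - 1) // 2, r) == r - 1

def proj_mul(a, b, N, delta):
    (U1, Z1), (U2, Z2) = a, b
    return ((U1 * U2 + delta * Z1 * Z2) % N, (U1 * Z2 + U2 * Z1) % N)

def proj_inv(a, N):
    U, Z = a
    return ((-U) % N, Z % N)

def to_crt(a, p, q):
    """Canonical pair [u_p, u_q]; a component is INF exactly when Z vanishes mod that prime."""
    U, Z = a
    def comp(r):
        if Z % r == 0:
            if U % r == 0:
                raise ValueError("(0:0) modulo a prime factor is not a point")
            return INF
        return (U * pow(Z, -1, r)) % r
    return (comp(p), comp(q))

def from_crt(up, uq, p, q):
    """Projective representative of [u_p, u_q]; an INF component becomes (1:0) mod that prime."""
    N = p * q
    def crt(xp, xq):
        return (xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % N
    Up, Zp = (1, 0) if up is INF else (up % p, 1)
    Uq, Zq = (1, 0) if uq is INF else (uq % q, 1)
    return (crt(Up, Uq), crt(Zp, Zq))

def equivalent(a, b, p, q):
    """(U:Z) ~ (U':Z') for some unit lambda  <=>  same canonical pair [u_p, u_q]."""
    return to_crt(a, p, q) == to_crt(b, p, q)

def affine_mul(u, v, r, delta):
    """Reference law in a single component F_{r,Delta}, with infinity handled explicitly."""
    if u is INF:
        return v
    if v is INF:
        return u
    if (u + v) % r == 0:
        return INF
    return ((u * v + delta) * pow(u + v, -1, r)) % r

def check_group(p, q, delta):
    """Exhaustively check the projective law against the componentwise law; returns the group order."""
    N = p * q
    if not (is_nonresidue(delta, p) and is_nonresidue(delta, q)):
        raise ValueError("Delta must be a non-square mod p and mod q")
    elems = [from_crt(up, uq, p, q) for up in [INF, *range(p)] for uq in [INF, *range(q)]]
    inf = (1, 0)
    for a in elems:
        ap, aq = to_crt(a, p, q)
        assert equivalent(proj_mul(a, inf, N, delta), a, p, q)                 # identity
        assert equivalent(proj_mul(a, proj_inv(a, N), N, delta), inf, p, q)   # inverse
        for b in elems:
            bp, bq = to_crt(b, p, q)
            prod = to_crt(proj_mul(a, b, N, delta), p, q)
            assert prod == (affine_mul(ap, bp, p, delta), affine_mul(aq, bq, q, delta))
    return len(elems)                  # (p+1)(q+1) elements

if __name__ == "__main__":
    p, q, delta = 11, 19, 2
    mixed = from_crt(3, INF, p, q)     # the awkward element [u_p, infinity_q]
    print(mixed, gcd(mixed[1], p * q)) # Z is neither 0 nor a unit: gcd(Z, N) = q
    print(check_group(p, q, delta))
```

Mixed elements such as \([u_p, \infty _q]\) need no special case in the projective law: they are exactly the points whose Z coordinate is a non-trivial multiple of one prime, which is also why such a Z must never be inverted modulo N.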

C Some Variants of Cocks’ Scheme

The \(\mathbf{HOM}\) algorithm depends on the cryptosystem. We propose below some variants of Cocks’ scheme that lead to better efficiency. In particular, obtaining the encryption of the complementary value is almost free.

Complementary Encryption. Given the encryption of a message \(m \in \{\pm 1\}\), it is easy to get the encryption of the complementary value. If \(C = (\varepsilon , c,\bar{\varepsilon },\bar{c})\) is the encryption of \(m \in \{\pm 1\}\) then \(C' = (-\varepsilon ,c,-\bar{\varepsilon },\bar{c})\) is the encryption of \(-m\).

D Public-Key Encryption with Keyword Search

A prominent application of anonymous IBE schemes is public-key encryption with keyword search (or PEKS) [6]. Basically, PEKS is a form of encryption that allows searching on data that is encrypted under a public-key system. A typical application is an email gateway that tests whether or not the keyword “urgent” is present in an email and routes the email accordingly if it is. The gateway should learn only whether the word “urgent” is present, and nothing else about the email. In the same email use-case, another practical application is to test the sender’s name and route emails accordingly. Further applications of PEKS can be found in [1, 6]. Of particular interest is the concept of temporarily searchable encryption [1, Sect. 6].

In a PEKS scheme, a sender can send messages in encrypted form to a receiver so that the receiver can allow a designated proxy to search keywords in the encrypted messages without incurring any (additional) loss of privacy. In [6], Boneh et al. suggest the following methodology:

The sender encrypts the message being sent with a (regular) public-key cryptosystem;

She appends to the resulting ciphertext a PEKS for each keyword.

In more detail, to encrypt a message m with searchable keywords \(w_1, \cdots , w_n\) for the receiver with public key \(\mathsf {upk}\), the sender computes and sends

The whole ciphertext is \(C = \{c, S_1,\cdots , S_n\}\). Now if the receiver has given a proxy a trapdoor \(T_{w_j}\) for keyword \(w_j\) then this proxy can test whether the corresponding plaintext m contains the keyword \(w_j\), but nothing more.

A conversion turning an anonymous identity-based scheme (under certain conditions) into a PEKS scheme is developed in [6]. Some subsequent refinements are described in [1]. Applying it to the scheme of Sect. 6.2 as a building block, we obtain a PEKS scheme based on quadratic residuosity. For slightly better efficiency, instead of verifying whether \(x_i = \mu ^{-1}(\nu _i \cdot \tau _i)\) (\(\in \{0,1\}\)), for \(0 \le i \le k-1\), the \(\mathtt {TEST}\) algorithm equivalently verifies whether \(\tau _i = \nu _i \cdot (1 - 2x_i)\). In detail, the scheme is as follows.

\(\mathtt {TEST}\) returns 1 if and only if \(b_i = 1\) for all \(0 \le i \le k-1\); and 0 otherwise.

E A Remark on Boneh-Gentry-Hamburg Abstract IBE System

Cocks’ scheme was subsequently revisited by Boneh, Gentry, and Hamburg [8]. The advantage of their scheme resides in the length of the ciphertexts. While the encryption of an \(\ell \)-bit message requires \(2\ell \cdot \log _2N\) bits with Cocks’ scheme, the ciphertext size in the Boneh-Gentry-Hamburg scheme is about \(\ell +\log _2N\) bits.

This section simplifies the abstract IBE system with short ciphertexts as presented in [8, Sect. 3].

E.1 Description

\(\mathtt {SETUP}\) and \(\mathtt {EXTRACT}\) are similar to Cocks’ scheme. \(\mathtt {ENCRYPT}\) and \(\mathtt {DECRYPT}\) require a deterministic algorithm \(\mathcal {Q}\) taking as input an RSA modulus N and three elements \(u, R, S \in \mathbb {Z}/N\mathbb {Z}\) and returning four IBE-compatible polynomials \(f, g, \bar{f}, \tau \in \mathbb {Z}/N\mathbb {Z}[X]\). Polynomials \(f,\bar{f}, g,\tau \) are said to be IBE-compatible if and only if the following conditions are met:

c1. If \(R, S \in \mathbb {QR}_N\) then \(f(r)g(s) \in \mathbb {QR}_N\) for all square roots r of R and s of S;

E.2 A Simplified Abstract IBE

As described in the previous section, the abstract Boneh-Gentry-Hamburg system makes use of polynomials \(f, \bar{f}, g, \tau \in \mathbb {Z}/N\mathbb {Z}[X]\). To simplify the notation, we consider one-bit messages but the discussion readily extends to \(\ell \)-bit messages, \(\ell >1\).

We observe that polynomials f and \(\bar{f}\) are evaluated at \(r_\mathsf {id}\) and that polynomials g and \(\tau \) are evaluated at s. Furthermore, we note that the values of \(R_\mathsf {id}\) and of S are publicly known. So, letting \(\delta \) denote the degree of polynomial f and \(f(X) = \sum _{k=0}^\delta f_k \, X^k\) with \(f_k \in \mathbb {Z}/N\mathbb {Z}\), we can write

Since \(r_\mathsf {id}^2\) is a public value, every even power \(r_\mathsf {id}^{2j}\) collapses to a public constant and every odd power \(r_\mathsf {id}^{2j+1}\) to a public multiple of \(r_\mathsf {id}\), so \(f(r_\mathsf {id})\) is the value at \(r_\mathsf {id}\) of a degree-1 polynomial whose two coefficients can be computed without knowing \(r_\mathsf {id}\). There is therefore no loss of generality in considering degree-1 polynomials for f. The same conclusion holds for polynomial \(\bar{f}\) (evaluated at \(r_\mathsf {id}\)), and for polynomials g and \(\tau \) (evaluated at s).
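As an added worked step (not part of the text as reproduced here), the degree reduction is the substitution of the public square of the evaluation point. For f and \(r_\mathsf {id}\) with \(r_\mathsf {id}^2 = R_\mathsf {id}\), and with the convention \(f_k = 0\) for \(k > \delta \):

\[
f(r_\mathsf {id}) = \sum _{k=0}^{\delta } f_k \, r_\mathsf {id}^{\,k}
= \sum _{j \ge 0} f_{2j} \, R_\mathsf {id}^{\,j} \;+\; r_\mathsf {id} \sum _{j \ge 0} f_{2j+1} \, R_\mathsf {id}^{\,j}
=: f'_0 + f'_1 \, r_\mathsf {id} ,
\]

because \(r_\mathsf {id}^{2j} = R_\mathsf {id}^{\,j}\) and \(r_\mathsf {id}^{2j+1} = R_\mathsf {id}^{\,j}\, r_\mathsf {id}\). Both \(f'_0\) and \(f'_1\) lie in \(\mathbb {Z}/N\mathbb {Z}\) and depend only on the coefficients of f and on the public \(R_\mathsf {id}\), so anyone who knows f and \(R_\mathsf {id}\), in particular without knowing \(r_\mathsf {id}\), can form the degree-1 polynomial \(f'_0 + f'_1 X\), which takes the same value at \(r_\mathsf {id}\). The same substitution applies to \(\bar{f}\), g and \(\tau \), each with the public square of its own evaluation point.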

so as to fulfill compatibility conditions c3 and c4. Compatibility conditions c5 and c6 are automatically satisfied from the product formula in [8, Lemma 5.1]. If \((f_0, f_1, g_0, g_1)\) is a solution to Eq. (8) and if \((\alpha ,\beta )\) is a solution to \(u\alpha ^2 + S\beta ^2 = 1\) then \((\bar{f}_0, \bar{f}_1, \bar{g}_0, \bar{g}_1)\) is a solution to Eq. (9) provided that